
Security audit

Jarvis Core

Security checks across malware telemetry and agentic risk

Overview

This assistant-memory skill is not clearly malicious, but it requests broad, automatic access to sensitive memories and performs proactive monitoring without adequate user control.

Review carefully before installing. Only use this skill if you intentionally want a highly persistent assistant that reads and reuses prior memory; avoid it on shared machines, for sensitive work, or with multi-person or multi-character data unless the publisher adds explicit opt-in, deletion, scoping, and audit controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Description-Behavior Mismatch

Medium severity, 92% confidence
Finding
The README describes proactive monitoring of user context such as calendar state, inactivity windows, and prior behavior patterns to trigger unsolicited reminders. Even if framed as helpful, this is broad behavioral surveillance for a general assistant and is not paired with a clear consent model, scope limitation, or access boundary. In a cross-session skill, that creates meaningful privacy and autonomy risks.

Description-Behavior Mismatch

Medium severity, 96% confidence
Finding
The skill claims to be a general assistant core, but the README says it can read and write all characters' memories for social simulation analysis. That is a major privilege expansion beyond ordinary assistant functionality and enables aggregation and modification of sensitive data about multiple parties, not just the primary user. The mismatch between stated purpose and effective capability makes misuse and over-collection much more dangerous.

Context-Inappropriate Capability

High severity, 97% confidence
Finding
Cross-character read/write memory access is highly sensitive and not justified by the README's positioning as a general-purpose assistant core. This capability permits the assistant to inspect and alter records for multiple people, which can expose private data, contaminate memory integrity, and enable manipulative or biased relationship analysis. In the context of a personality-driven autonomous assistant, that elevated access is especially risky.

Intent-Code Divergence

Medium severity, 84% confidence
Finding
The README makes an absolute privacy claim that all data stays local and never goes to the cloud, while also advertising compatibility across multiple agent platforms and SDKs. That combination is misleading unless platform-specific data-flow constraints are documented, because the skill cannot control where a host runtime sends prompts, memory, or telemetry; a local-only guarantee holds only if every supported runtime is also local-only. Overstated privacy assurances can lead users to expose sensitive data under false assumptions.

Context-Inappropriate Capability

Medium severity, 87% confidence
Finding
The skill specifies proactive real-time/push notification behavior ('双通道通知 Boss', roughly "dual-channel notification to Boss", including real-time push) in a general assistant core without showing a tightly scoped permission or user-controlled consent flow. That broadens the assistant from reactive help into unsolicited outreach, which can leak sensitive state, create surprise side effects, or be abused to nag or manipulate the user outside the active session.

Context-Inappropriate Capability

Medium severity, 92% confidence
Finding
The deep-recall design includes commands such as '回忆全部/回忆所有' (both meaning "recall everything / recall all") and broad default cross-session loading semantics that can retrieve large amounts of historical memory unrelated to the current task. In a general assistant, unrestricted recall increases exposure of sensitive prior conversations, creates over-collection by default, and raises the chance of private data being surfaced in the wrong context.

Missing User Warnings

Medium severity, 88% confidence
Finding
The README promotes cross-session memory, emotional history, relationship patterns, and personal-data analysis without an upfront privacy warning or informed-consent mechanism. For a skill that stores and infers sensitive behavioral and interpersonal information, burying the privacy implications in descriptive text is insufficient. Users may not realize the extent of retention, profiling, and inference being performed.

Missing User Warnings

Medium severity, 93% confidence
Finding
The README describes proactive calendar scanning, inactivity tracking, and unsolicited reminders, but does not state that these behaviors require explicit user approval. This can surprise users and normalize continuous background observation by an assistant that appears general-purpose. The risk is amplified because the feature is framed as autonomous and context-aware rather than narrowly user-triggered.

Vague Triggers

Medium severity, 90% confidence
Finding
The skill defines automatic startup behavior for every new session without a clear user invocation boundary, so privileged behaviors can activate before the user asks for them. In this file, that broad trigger is paired with automatic file reads and summaries, so unintended activation can expose or process user data unnecessarily.

Missing User Warnings

High severity, 97% confidence
Finding
The startup ritual instructs the agent to automatically read multiple memory and user files at session start and then summarize them, with no explicit privacy notice or fresh consent. This creates a direct path for over-collection and resurfacing of prior user data even when it is not needed for the current request.

Missing User Warnings

Medium severity, 84% confidence
Finding
The skill requires automatic loading of a supplemental file on every new session, again without user warning or task-based need. This expands the trusted instruction surface and can silently import additional behaviors, prompts, or data-handling rules outside the user's awareness.

Missing User Warnings

Medium severity, 95% confidence
Finding
This section directs ongoing collection and storage of user emotional history, relationship dynamics, and inferred patterns, but does not include an explicit privacy warning or meaningful consent language. Because these are highly sensitive inferences rather than just user-provided facts, silent persistence materially increases privacy risk and can enable profiling beyond user expectations.

Missing User Warnings

Medium severity, 94% confidence
Finding
The appendix describes automatic loading of broad cross-session memory and manual commands to retrieve all history, yet it lacks any explicit warning about privacy, sensitive data exposure, or safe-use boundaries. This makes it easy for the assistant to surface old private details unexpectedly, especially across projects, relationships, or emotional contexts.

Ssd 3

Medium severity, 95% confidence
Finding
The startup ritual instructs the agent to read persistent memory sources and immediately produce a summary of prior activity and notes for every new session. That creates a natural-language data resurfacing mechanism that can reveal sensitive historical context without a current need-to-know check or user request.

Ssd 3

Medium severity, 91% confidence
Finding
The skill encourages ongoing memory retention, index updates, task checks, and relationship-pattern scanning, which normalizes persistent collection and inference about the user over time. In a general-purpose assistant, this increases privacy risk because it broadens both what is stored and what can later be inferred or surfaced from natural-language memory.

Ssd 3

Medium severity, 96% confidence
Finding
The skill instructs the system to persist emotional history and conversation-derived private details across sessions, then proactively bring those inferences back into future interactions. That is dangerous because it operationalizes sensitive profiling and resurfacing of inferred personal traits or relationship dynamics, which can be intrusive, harmful, or inconsistent with user expectations and privacy norms.

Ssd 3

Medium severity, 95% confidence
Finding
The deep-recall commands and defaults encourage broad retrieval of all historical user memory, including "load all history" semantics, without strong scope constraints. In practice this can expose unrelated sensitive material from prior sessions and creates a dangerous default in which the assistant accesses more personal data than the present task needs.
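The startup ritual, the "recall all" defaults and the cross-character memory access flagged above all come down to the same missing controls: a fresh per-session opt-in, need-to-know scoping of what is recalled, an owner boundary between the user's records and other people's, a deletion path, and an audit trail. The Python below is an added example of what those controls look like in a memory-access layer; it is not code from the Jarvis Core skill or its publisher. The record fields (owner, tags, sensitivity), the "boss" and "char:<name>" owner labels, and the sample records are assumptions made for the illustration.

```python
"""Consent-gated, scoped memory recall for an assistant skill (added example).

Not the Jarvis Core skill's code. Owner labels, record fields and the sample
store are assumptions chosen to illustrate the controls the audit asks for.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class MemoryRecord:
    owner: str          # who the record is about: "boss" (primary user) or "char:<name>"
    tags: frozenset     # topic tags used for need-to-know filtering
    sensitivity: str    # "normal" or "sensitive" (emotional / relationship inferences)
    text: str


class RecallDenied(PermissionError):
    """Raised when a recall would exceed the consented scope."""


@dataclass
class MemoryPolicy:
    store: list                                           # MemoryRecord list (the memory file)
    session_consent: bool = False                         # fresh opt-in each session, never persisted
    cross_owner_grants: set = field(default_factory=set)  # extra owners the principal may read
    audit_log: list = field(default_factory=list)         # append-only, one entry per decision

    def _audit(self, action, principal, count, extra=""):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "principal": principal, "count": count, "extra": extra,
        })

    def _require_consent(self, principal):
        if not self.session_consent:
            self._audit("denied:no_consent", principal, 0)
            raise RecallDenied("no per-session opt-in for memory recall")

    def _visible(self, principal):
        # Owner boundary: the principal's own records plus explicitly granted owners only.
        allowed = {principal} | self.cross_owner_grants
        return [r for r in self.store if r.owner in allowed]

    def grant_session_consent(self, principal):
        self.session_consent = True
        self._audit("consent", principal, 0)

    def grant_cross_owner(self, principal, owner):
        self.cross_owner_grants.add(owner)
        self._audit("grant_cross_owner", principal, 0, owner)

    def recall(self, principal, topic_tags, include_sensitive=False):
        """Need-to-know recall: requires consent, a non-empty topic scope, and
        excludes sensitive inferences unless asked for explicitly."""
        self._require_consent(principal)
        if not topic_tags:
            self._audit("denied:unscoped", principal, 0)
            raise RecallDenied("recall needs topic tags; use recall_all for an explicit full dump")
        hits = [r for r in self._visible(principal)
                if r.tags & frozenset(topic_tags)
                and (include_sensitive or r.sensitivity != "sensitive")]
        self._audit("recall", principal, len(hits), ",".join(sorted(topic_tags)))
        return hits

    def recall_all(self, principal, confirm=False):
        """The 'recall everything' command, gated behind an explicit confirmation."""
        self._require_consent(principal)
        if not confirm:
            self._audit("denied:recall_all_unconfirmed", principal, 0)
            raise RecallDenied("full-history recall requires explicit confirmation")
        hits = self._visible(principal)
        self._audit("recall_all", principal, len(hits))
        return hits

    def forget(self, principal):
        """Deletion control: drop every record owned by the principal; returns the count."""
        before = len(self.store)
        self.store[:] = [r for r in self.store if r.owner != principal]
        removed = before - len(self.store)
        self._audit("forget", principal, removed)
        return removed


def sample_store():
    # Constructed sample data, not taken from any real memory file.
    return [
        MemoryRecord("boss", frozenset({"project", "deadline"}), "normal", "Q3 report due Friday"),
        MemoryRecord("boss", frozenset({"calendar"}), "normal", "dentist appointment Tuesday 9am"),
        MemoryRecord("boss", frozenset({"relationship", "mood"}), "sensitive", "seemed stressed after call with Alice"),
        MemoryRecord("char:alice", frozenset({"project"}), "normal", "Alice owns the data pipeline"),
        MemoryRecord("char:alice", frozenset({"mood"}), "sensitive", "Alice frustrated with Bob"),
    ]


def session_startup(policy, principal):
    """Startup path: with no consent it yields nothing instead of dumping prior memory."""
    try:
        return policy.recall(principal, {"project", "calendar"})
    except RecallDenied:
        return []


def is_denied(fn, *args, **kwargs):
    """True when the policy refuses the call (handy for checking refusals)."""
    try:
        fn(*args, **kwargs)
        return False
    except RecallDenied:
        return True


if __name__ == "__main__":
    p = MemoryPolicy(sample_store())
    print(len(session_startup(p, "boss")))       # 0 records: no consent yet
    p.grant_session_consent("boss")
    for r in p.recall("boss", {"project"}):      # only the user's own project record
        print(r.owner, r.text)
    for e in p.audit_log:
        print(e["action"], e["principal"], e["count"])
```

Without `grant_session_consent` the startup path returns nothing instead of summarising prior memory; `recall` refuses an empty tag set so "load everything" cannot be the silent default, and `recall_all` needs an explicit `confirm=True`. Reads of another owner's records require a recorded grant, and every decision, including refusals, lands in `audit_log`, which is the trail a reviewer would ask the publisher to produce.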

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected. Neither this result nor the clean VirusTotal verdict contradicts the findings above: both scanners look for malicious code or known indicators, while the risks here live in natural-language instructions (startup rituals, recall-all commands, cross-character memory access) that such scanners do not evaluate.